Who?

► Principal Consultant, FishNet Security

► Associate Professor at UAT

► Founder / Hexagon Security

The Net

The Web

Connecting the App Layer

* Increased connections at App Layer

► Mesh of content

► Increased attack surface

► Content delivery

* Less Validation with Higher Trust

► Assumptions about content

► Assumptions about users

► Content unknowns

API Connection Diagram

* Connection layer and uniform interface

[Diagram: clients connect through the API layer to Data and Services]

API Vulnerabilities

* Focus on Use vs Abuse

► No threat modeling

► Scoped out of testing or not identified

► Many assumptions made about APIs

* After the fact design or addition

► API bolted on to application

► APIs for Mobile devices

► APIs for clients of varying girth

API Problems

* APIs have the same problems as apps

► Authentication

► Authorization

► Session management

► Accountability

* Often not fleshed out at implementation time

► Beta in production

► Lack of proper testing

API Services

* Generally two types of API services

► Consumption

► Integration

* One API to rule them all

► Twitter

► Facebook

► MySpace

APIs Make Great Targets

Increased Attack Surface

Depth

Elevated Privileges

Higher Trust Levels

Good News

* Common protocols and data formats

► Less vulns from reinvention

► Readable or Understandable

► Common tools can be used

* Common Tools

► Wireshark

► Burp

► WebScarab

API Testing

[Diagram: testing flow]

► Presence

► Purpose

► Structure

► Violate

► Evaluate

Identification

* Two methods for identification

► Zero knowledge

► Documented

Zero Knowledge

* Steps

► Search for applications

► Check site for applications

► Use tools to identify API calls

* Why zero?

► Internal dev use only

► Business partners

► Select developers

Documented

* Full documentation = Win

► Typically the case

► Architecture information

► Capabilities

* Easier identification of:

► Structure of calls

► Depth of functionality

► Case information

More Doc Goodness

* Server to Server APIs

► Hard to identify without documentation

► Lack of client exposure

* Language specific API modules

► PHP

► Python

► Perl

API Documentation

* http://delicious.com/help/api

* http://wiki.developers.facebook.com/index.php/API

* http://wiki.developer.myspace.com/index.php?title=Category:OpenSocial_v0.9_REST_Resources

* http://apiwiki.twitter.com/

Identify API Functions

* Determine depth of API

► Functions not available to "standard" users

► Obvious "elevated" functionality

► Any Segregation?

* How is content integrated?

► Same domain?

► Render on same canvas?

► Does it create multiple paths to functionality?

Identify Structure

* Structure of call

► What does the API expect?

* Data Formats and Transport

► Text / HTML

► JSON

► XML

► SOAP

► HTTP, REST, AMF, etc.

Simple API Call

http://api.msappspace.com/proxy/relay.proxy?opensocial_authtype=SIGNED&opensocial_token=Tw3mVsJBk4nFmT3jQOYRgZoUPPWtSEWrH7yocBPx/CJZIvRftB5vH6dr58Tcyl_p1WLn9Qn1IDt4zwpkyG83pWY4sz1BuiVV+K56l8SKzcdQ=&opensocial_url=http%3A//db4440e3.fb.joyent.us/truthbox4/confessions.php

Delicious Example

* http://delicious.com/help/api

* Get all bookmarks

► GET http://del.icio.us/api/[username]/bookmarks

* Add a new bookmark

► POST http://del.icio.us/api/[username]/bookmarks

* Modify a bookmark

► PUT http://del.icio.us/api/[username]/bookmarks/[hash]

* Delete a bookmark

► DELETE http://del.icio.us/api/[username]/bookmarks/[hash]

Bolt-on Fail

* Old skool bolt-on functionality

► Large potential for fail

► Fixes often not integrated

► Creating multiple paths to functionality

* Wrapping services can lead to fail

► Bypassing client

► Calling unintended functionality
  • e.g. Register in Jabber

Dropbox

[Screenshot: Finder context menu on a Dropbox folder: Open, Open With, Dropbox > Browse on Dropbox Website..., View Previous Versions..., Move to Trash]

Hulu

Hulu Desktop

[Captured HTTP exchange from the Hulu Desktop client]

GET /huludesktop.swf?ver=0.1.0 HTTP/1.1
Accept: */*
Accept-Language: en-us
x-flash-version: 10,0,42,34
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: download.hulu.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Apache
ETag: "b2d723ble2e01b92a22cc97Bd4339ab6:1264039064"
Last-Modified: Thu, 21 Jan 2010 01:57:44 GMT
Accept-Ranges: bytes
Content-Length: 476564
Content-Type: application/x-shockwave-flash
Expires: Tue, 26 Jan 2010 14:56:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 26 Jan 2010 14:56:43 GMT
Connection: keep-alive

Pandora

[Wireshark capture: HTTP/XML response from www.pandora.com, HTTP/1.1 200 OK, decoded as an XML-RPC methodResponse; the tree is cut off in the capture]

<?xml
<methodResponse>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>isCreator</name>
            <value>
              <boolean>

Violating the Canvas

[Screenshot: MySpace profile "Nathan" (www.myspace.com/372734803) carrying a "CSRFer - Coming Soon" app; a JavaScript alert on the page reads: The page at http://api.msappspace.com says: name=Pants Secret Cookie]

API as Anon Proxy

* Attack anonymization via shared APIs

[Diagram: Attacker -> shared API proxy -> Site / Application (Attack Anonymization)]

http://www.a.hi5modules.com/gadgets/proxy?refresh=1&v=1232414886550&url=http://www.fmodules.com/gadgets/makeRequest?refresh=1&url={target}&httpMethod=GET

No Place Like 127.0.0.1

* Hi5 API localhost dev page.

[Screenshot: the "hi5 API (beta)" developer page loaded from file:///Users/nathan/Desktop/p.html. Introduction: "Welcome to the API for hi5.com. We've got a full SOAP API, and even a few REST endpoints. Feel free to check it out!" Disclaimer: the API service is currently in beta test, interfaces can change without warning; send email to api-request@hi5.com if you intend to access it. SOAP: exposed through WS-I Basic Profile-compliant SOAP v1.1 endpoints supporting XOP and MTOM for binary data, described by the WSDL namespaces http://api.hi5.com/ (AlbumsApiService), /auth (AuthApiService), /feed (FeedApiService), /fu (FriendUpdateApiService), /message (MessageApiService). Sidebar lists Albums, Auth, Feed, FriendUpdate, Message, Metrics, Notification, Presence, Profile, Status and Test API services.]

No Place Like Home

http://www.a.hi5modules.com/gadgets/proxy?refresh=1&v=1232414886550&url=http://127.0.0.1

http://www.a.hi5modules.com/gadgets/proxy?refresh=1&v=1232414886550&url=%68%74%74%70%3a%2f%2f%31%32%37%2e%30%2e%30%2e%31

API Redirect Loops

* Triangle of Death

► (Rectangle|Pentagon|Hexagon|Octagon)

Call Yourself

http://www.a.hi5modules.com/gadgets/proxy?refresh=1&v=1232414886550&url=http://www.a.hi5modules.com/gadgets/proxy?refresh=1&v=1232414886550&url=http://www.a.hi5modules.com/gadgets/proxy?refresh=1&v=1232414886550&url=

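The four gadget-proxy cases above (a url= pointing at 127.0.0.1, the same host percent-encoded, chaining through another site's makeRequest, and the proxy calling itself) can all be refused by one target check on the proxy's url= parameter. This is an added example, not hi5's or the presenter's code: the proxy hostname, the offline resolver table and its addresses are constructed, and the "nested-proxy" rule is a policy choice of the example.

```python
import ipaddress
from urllib.parse import parse_qs, unquote, urlsplit

# Hostnames this proxy itself answers on (constructed for the example).
PROXY_HOSTS = {"www.a.hi5modules.com"}

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {"www.fmodules.com": "93.184.216.34",
            "www.example.org": "93.184.216.35"}


def normalise(url: str, max_rounds: int = 3) -> str:
    """Peel repeated percent-encoding so %68%74%74%70%3a%2f%2f%31%32%37...
    is examined as http://127... rather than as an opaque string."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.strip()


def classify_target(url: str, resolve=FAKE_DNS.get) -> str:
    """Return 'ok' if the proxy may fetch `url`, otherwise the refusal reason.
    `url` is the value of the proxy's url= parameter; `resolve` maps a
    hostname to an IP string, or None when the name is unknown."""
    target = urlsplit(normalise(url))
    if target.scheme not in ("http", "https"):
        return "scheme"                  # no file://, gopher://, etc.
    host = (target.hostname or "").lower()
    if not host:
        return "no-host"
    if host in PROXY_HOSTS:
        return "self-reference"          # "Call Yourself" redirect loop
    if "url" in parse_qs(target.query):
        return "nested-proxy"            # chaining through another fetcher
    try:
        ip = ipaddress.ip_address(host)  # literal IP in the URL
    except ValueError:
        addr = resolve(host)
        if addr is None:
            return "unresolvable"
        ip = ipaddress.ip_address(addr)
    if (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast):
        return "internal-address"        # "No Place Like 127.0.0.1"
    return "ok"
```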








OAuth Session Fixation

* http://www.oauth.net/advisories/2009-1/

Flickr

* Flickr API Signature Vulnerability

► http://netifera.com/research/flickr_api_signature_forgery.pdf
Evaluate

* Know the proper responses for API calls

► Return data format

► Response messages

► Look closely at error conditions

* Valid responses to invalid data can be fun :)

► Information disclosure

► 3rd party connections

Threat Model

1. Identify Security Objectives

Identify Risks (STRIDE):

► Spoofing

► Tampering

► Repudiation

► Information Disclosure

► Denial of Service

► Elevation of Privilege

Scope Your APIs

* What is the intention of the API?

► Know your intended consumers / users

► Consume or Integrate

► Implement least privilege

* Handle the functionality properly

► Data flow

► Authentication and session management

► Depth of functionality

Proper Design

* External Content

► Handle segregation and canvas issues

► Keep exposure areas away from main content

* Data and input validation

► Don't trust external content

► Ever

► Never

A Few More

* Code management

► No dev code in prod

► Service reduction in wrapped services

► Security testing prior to release

Nmts 
MonkeyFist

* MonkeyFist: PoC Dynamic CSRF Tool

► http://hexsec.com/labs

► Creates payload / patterns based on referer

► Automates per-request, "dynamic" CSRF

► Constructs hidden POSTs, redirects, refreshes

► Makes request for tokens or steals from referer (fixation)
Dynamic Redirect

[Diagram: Host w/ Redirect -> Redirect w/ Session Data]

POST Construct

[Diagram: Host Making POST]

Dynamic Page Attack

[Diagram: Legitimate Link Destination vs. Unintended Request Destination]

Fixation Attack

[Diagram: Host w/ Page -> Legitimate Link Destination vs. Unintended Request Destination]

Questions?

* Nathan Hamiel

► Blog: www.neohaxor.org

► Email: nathan{at}neohaxor{dot}org

► Twitter: nathanhamiel

► http://hexsec.com